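---
# Ansible playbook: run a Postfix relay in a Docker container on the local host.
# A named volume holds main.cf and the trusted CA bundle; both files are
# bind-mounted read-only into the container, and the container is restarted
# whenever either of them changes.
- hosts: [localhost]
  become: true
  tasks:
    - docker_network:
        name: mail

    - docker_volume:
        volume_name: postfix_config
      # Exposes the volume's host Mountpoint to the copy/container tasks below.
      register: config_volume

    - name: copy trusted CA certs
      copy:
        src: ../smtp-tls-trusted-ca.pem
        dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/smtp-tls-trusted-ca.pem'
      register: smtp_trusted_ca_certs

    - name: create config
      copy:
        # Postfix main.cf. Lines starting with '#' inside this block are
        # Postfix comments (part of the file), not YAML comments.
        content: |
          # $myhostname prefix is a RFC requirement
          smtpd_banner = $myhostname ESMTP $mail_name quid agis?
          # RCPT TO matches $relay_domains => !reject_unauth_destination
          # http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
          smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unauth_destination
          mydestination =
          relay_domains = example.com
          # include TLS protocol & cipher in 'Received' header
          smtpd_tls_received_header = yes
          # + sasl username
          smtpd_sasl_authenticated_header = yes
          relayhost = relay.example.com:submission
          smtp_tls_security_level = secure
          smtp_tls_secure_cert_match = nexthop
          smtp_tls_CAfile = /etc/postfix/smtp-tls-trusted-ca.pem
          # docs recommend against whitelist
          smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
          smtp_tls_session_cache_database = btree:${data_directory}/smtp-tls-session-cache
          # http://www.postfix.org/MAILLOG_README.html
          maillog_file = /dev/stdout
          # http://www.postfix.org/COMPATIBILITY_README.html
          compatibility_level = 2
        dest: '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf'
        # Symbolic mode, quoted so it is never re-typed by a YAML tool.
        # World-readable is acceptable here: main.cf contains no credentials.
        mode: 'a=r'
      register: config

    - docker_container:
        name: postfix
        # 1.0.0-postfix3.4.5r0-amd64
        # Pinned by digest rather than a mutable tag, so the deployed image
        # cannot change underneath this playbook.
        image: fphammerle/postfix@sha256:33c2dfc8d292b8399f7c61b206922b81c870ce5ae2c7e233fd1a38d420417154
        hostname: postfix-test
        # Config and CA bundle are mounted read-only from the volume.
        volumes:
          - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/main.cf:/etc/postfix/main.cf:ro'
          - '{{ config_volume.ansible_facts.docker_volume.Mountpoint }}/smtp-tls-trusted-ca.pem:/etc/postfix/smtp-tls-trusted-ca.pem:ro'
        networks:
          - name: mail
        # Detach the container from any network not listed above.
        purge_networks: true
        # Port 25 is bound to the loopback interface only, so the unauthenticated
        # SMTP listener is reachable from this host and not from the network.
        published_ports: ['localhost:25:25']
        restart_policy: unless-stopped
        # Force a container restart when either mounted file was changed by the
        # copy tasks above, so the new configuration takes effect.
        restart: '{{ config.changed or smtp_trusted_ca_certs.changed }}'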